From e583d9fc39b6597bddec70c36d9bbc6c2ff66e70 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 27 Sep 2022 23:52:22 +0200
Subject: [PATCH] Update proc_creation_win_w32tm.yml
---
 rules/windows/process_creation/proc_creation_win_w32tm.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
index 55c1d2255..f3881508c 100644
--- a/rules/windows/process_creation/proc_creation_win_w32tm.yml
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
@@ -24,7 +24,7 @@ detection:
 condition: all of selection_*
 falsepositives:
 - Legitimate use
-level: medium
+level: high # because unlikely legitimate use of that flag combination
 tags:
 - attack.discovery
 - attack.t1124
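Review bot: The new `level: high` line justifies itself with "unlikely legitimate use", but the `falsepositives` entry two lines above still reads `- Legitimate use`, so the rule now contradicts its own triage guidance. At high severity an analyst needs to know which benign activity is expected to match, so that entry should name the concrete case or be changed to `- Unknown`. The rationale also lives only in a trailing YAML comment, which is lost whenever the rule is parsed and re-serialized or converted to a backend query. It would be safer to keep the line as plain `level: high` and state the reason in the rule's `description`. The selections and the rest of the rule are outside this hunk, so the flag combination cannot be checked here. If the rule carries a `modified` date, this one-line commit did not update it.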